1*6236dae4SAndroid Build Coastguard Worker--- 2*6236dae4SAndroid Build Coastguard Workerc: Copyright (C) Daniel Stenberg, <[email protected]>, et al. 3*6236dae4SAndroid Build Coastguard WorkerSPDX-License-Identifier: curl 4*6236dae4SAndroid Build Coastguard WorkerShort: E 5*6236dae4SAndroid Build Coastguard WorkerLong: cert 6*6236dae4SAndroid Build Coastguard WorkerArg: <certificate[:password]> 7*6236dae4SAndroid Build Coastguard WorkerHelp: Client certificate file and password 8*6236dae4SAndroid Build Coastguard WorkerProtocols: TLS 9*6236dae4SAndroid Build Coastguard WorkerCategory: tls 10*6236dae4SAndroid Build Coastguard WorkerAdded: 5.0 11*6236dae4SAndroid Build Coastguard WorkerMulti: single 12*6236dae4SAndroid Build Coastguard WorkerSee-also: 13*6236dae4SAndroid Build Coastguard Worker - cert-type 14*6236dae4SAndroid Build Coastguard Worker - key 15*6236dae4SAndroid Build Coastguard Worker - key-type 16*6236dae4SAndroid Build Coastguard WorkerExample: 17*6236dae4SAndroid Build Coastguard Worker - --cert certfile --key keyfile $URL 18*6236dae4SAndroid Build Coastguard Worker--- 19*6236dae4SAndroid Build Coastguard Worker 20*6236dae4SAndroid Build Coastguard Worker# `--cert` 21*6236dae4SAndroid Build Coastguard Worker 22*6236dae4SAndroid Build Coastguard WorkerUse the specified client certificate file when getting a file with HTTPS, FTPS 23*6236dae4SAndroid Build Coastguard Workeror another SSL-based protocol. The certificate must be in PKCS#12 format if 24*6236dae4SAndroid Build Coastguard Workerusing Secure Transport, or PEM format if using any other engine. If the 25*6236dae4SAndroid Build Coastguard Workeroptional password is not specified, it is queried for on the terminal. Note 26*6236dae4SAndroid Build Coastguard Workerthat this option assumes a certificate file that is the private key and the 27*6236dae4SAndroid Build Coastguard Workerclient certificate concatenated. See --cert and --key to specify them 28*6236dae4SAndroid Build Coastguard Workerindependently. 29*6236dae4SAndroid Build Coastguard Worker 30*6236dae4SAndroid Build Coastguard WorkerIn the \<certificate\> portion of the argument, you must escape the character 31*6236dae4SAndroid Build Coastguard Worker`:` as `\:` so that it is not recognized as the password delimiter. Similarly, 32*6236dae4SAndroid Build Coastguard Workeryou must escape the double quote character as \" so that it is not recognized 33*6236dae4SAndroid Build Coastguard Workeras an escape character. 34*6236dae4SAndroid Build Coastguard Worker 35*6236dae4SAndroid Build Coastguard WorkerIf curl is built against OpenSSL library, and the engine pkcs11 is available, 36*6236dae4SAndroid Build Coastguard Workerthen a PKCS#11 URI (RFC 7512) can be used to specify a certificate located in 37*6236dae4SAndroid Build Coastguard Workera PKCS#11 device. A string beginning with `pkcs11:` is interpreted as a 38*6236dae4SAndroid Build Coastguard WorkerPKCS#11 URI. If a PKCS#11 URI is provided, then the --engine option is set as 39*6236dae4SAndroid Build Coastguard Worker`pkcs11` if none was provided and the --cert-type option is set as `ENG` if 40*6236dae4SAndroid Build Coastguard Workernone was provided. 41*6236dae4SAndroid Build Coastguard Worker 42*6236dae4SAndroid Build Coastguard WorkerIf curl is built against GnuTLS library, a PKCS#11 URI can be used to specify 43*6236dae4SAndroid Build Coastguard Workera certificate located in a PKCS#11 device. A string beginning with `pkcs11:` 44*6236dae4SAndroid Build Coastguard Workeris interpreted as a PKCS#11 URI. 45*6236dae4SAndroid Build Coastguard Worker 46*6236dae4SAndroid Build Coastguard Worker(iOS and macOS only) If curl is built against Secure Transport, then the 47*6236dae4SAndroid Build Coastguard Workercertificate string can either be the name of a certificate/private key in the 48*6236dae4SAndroid Build Coastguard Workersystem or user keychain, or the path to a PKCS#12-encoded certificate and 49*6236dae4SAndroid Build Coastguard Workerprivate key. If you want to use a file from the current directory, please 50*6236dae4SAndroid Build Coastguard Workerprecede it with `./` prefix, in order to avoid confusion with a nickname. 51*6236dae4SAndroid Build Coastguard Worker 52*6236dae4SAndroid Build Coastguard Worker(Schannel only) Client certificates must be specified by a path expression to 53*6236dae4SAndroid Build Coastguard Workera certificate store. (Loading *PFX* is not supported; you can import it to a 54*6236dae4SAndroid Build Coastguard Workerstore first). You can use "\<store location\>\\<store name\>\\<thumbprint\>" 55*6236dae4SAndroid Build Coastguard Workerto refer to a certificate in the system certificates store, for example, 56*6236dae4SAndroid Build Coastguard Worker*"CurrentUser\MY\934a7ac6f8a5d579285a74fa61e19f23ddfe8d7a"*. Thumbprint is 57*6236dae4SAndroid Build Coastguard Workerusually a SHA-1 hex string which you can see in certificate details. Following 58*6236dae4SAndroid Build Coastguard Workerstore locations are supported: *CurrentUser*, *LocalMachine*, 59*6236dae4SAndroid Build Coastguard Worker*CurrentService*, *Services*, *CurrentUserGroupPolicy*, 60*6236dae4SAndroid Build Coastguard Worker*LocalMachineGroupPolicy* and *LocalMachineEnterprise*. 61